‘Magic’ Ransomware Is Based On Open-Source Code

Uploaded on 2017-01-18 in NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

A new ransomware based on open-source code has been spotted in the wild and it encrypts user files and ads ‘.magic’ extension to them, researchers warn.

Dubbed "Magic, the malware is based on open-source ransomware called eda2, which was created for educational purposes. The Magic Ransomware was created in C# and the masterminds behind it currently demand 1 Bitcoin from users looking to regain access to their data.

Ransomware has become a highly rewarding business for cyber-criminals, with some interested in building their own malware.

Adopting open-source ransomware is a fast way to do that, and the Magic ransomware is proof that perpetrators would do whatever it takes to achieve their nefarious goals.

Magic is the second ransomware discovered this month to have been built upon ransomware created for educational purposes. Recently, Trend Micro discovered that a newly created threat called Ransom_Cryptear.B was based on another educational ransomware publicly available, namely Hidden Tear, which was released as open source in August 2015 by Turkey-based hacker Utku Sen.

Hidden Tear code was used in other malware as well, including Linux.Encoder, which was discovered back in November to pack an encryption flaw that allowed researchers to crack its encryption algorithm.

Recently, Utku Sen said that he managed to break the encryption of Cryptear.B because he intentionally weakened the encryption in Hidden Tear fearing that cybercriminals might abuse it.

Based on the eda2 ransomware kit, the newly discovered Magic malware appears to be the work of low-skilled hackers, Bleeping Computer’s Lawrence Abrams explains in a blog post.

However, the kit includes all necessary code, ranging from ransomware executable to encryption algorithm and PHP web panel used as a Command & Control (C2) server for storing the encryption keys of victims.

Researchers haven’t yet established how Magic is being distributed, but assume manual distribution via hacked terminals services or remote desktop.

The ransomware stores the AES keys used to encrypt files on the C2 servers, but also uses an RSA public key to encrypt them before sending them to the server.

Because the actors using the Magic ransomware are not advanced enough, they use C2 servers hosted on free web sites services, which means that they can be easily taken down.

However, there’s a risk that the free web hosting provider may delete the decryption key databases before security researchers could access them, meaning that victims lose the ability to retrieve their keys.

The ransomware is capable of encrypting a wide array of file extensions and appends the .magic extension to any encrypted file, but it won’t encrypt files located in directories that contain the string $, C:\Windows, or c:\program. After completing the encryption process, it creates the deleteMyProgram.bat batch file and execute it, an operation that uses vssadmin.exe to clear the victim's Shadow Volume Copies and then delete the malware executable.

The ransomware also places ransom notes on the desktop, providing victims with information on what has happened and on what they need to do to decrypt their files.

The actors behind the ransomware use a static bitcoin payment address, which has had no payments sent to it as of yet.

Security Week:     Ransom Worm: The Next Level Of Cybersecurity:    Europol Warning: Crypto-Ransomware Threat:

 

« Drone Warriors Of The US Air Force
2017: Cybersecurity At A Turning Point »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Lookout

Lookout

Lookout is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack.

InAuth

InAuth

InAuth Security Platform delivers advanced device identification, risk detection, and analysis capabilities to help organizations limit risk and reduce fraud.

Second Nature Security (2NS)

Second Nature Security (2NS)

2NS provide vulnerability assessment, penetration testing, security audit, application and network security and secure software development processes.

Serverless Computing

Serverless Computing

Serverless Computing London will help architects, developers and CIOs decide on the best path to a more efficient, scalable and secure computing future.

Araxxe

Araxxe

Araxxe delivers Revenue Assurance, End-to-End Billing Verification and Interconnect Fraud Detection solutions to communication companies worldwide.

Hysolate

Hysolate

Hysolate has transformed the endpoint, making it the secure and productive environment it was meant to be.

Sierra Ventures

Sierra Ventures

Sierra Ventures is an early-stage venture firm investing globally with a focus on Next Generation Enterprise and Emerging Technologies.

Siemens

Siemens

Siemens Industrial Security Services provide solutions for cybersecurity in automation environments based on the recommendations of the international standard IEC 62443.

Hudson Cybertec

Hudson Cybertec

Hudson Cybertec are an internationally recognized Subject Matter Expert for cyber security in the Industrial Automation & Control Systems (IACS) domain.

Dasera

Dasera

Dasera’s Radar and Interceptor products deliver visibility, governance, and protection solutions for data-agile companies.

Fortified Health Security

Fortified Health Security

Fortified’s team of cybersecurity specialists is dedicated to helping healthcare providers, payers and business associates protect their patient data across the Fortified Healthcare Ecosystem.

WhizHack Technologies

WhizHack Technologies

WhizHack's mission is to not only create a pipeline of cyber security products but also to empower people to sustainable innovation in securing digital assets of tomorrow.

HTL Support

HTL Support

HTL Support, your trusted partner for comprehensive IT support in London. We specialize in delivering top-tier IT solutions tailored to both large enterprises and small businesses.

Cyviation

Cyviation

Cyviation's mission is to mitigate ever-growing and menacing Cyber Security threats, focusing on aircraft, airlines and airports.

PRE Security

PRE Security

PRE Security is leading the transition into the next era of AI cybersecurity with a new model: Predict & Prevent.

Anjolen

Anjolen

Anjolen provides expertise in cybersecurity, compliance and cyber forensic services.